Wednesday, January 03, 2018

Monitoring the Monitors: Using SDR to snoop on my wireless alarm system (Part 1)

This talk on decoding wireless tire pressure monitors got me thinking: what other wireless electronics could I snoop on? I've done this in the past with our neighborhood utility boxes, but that was little more than running a program someone else wrote. The tire pressure decoding work is remarkable in that an individual managed to turn wireless noise into useful data. Even if you're not a radio hacker, the talk is worth your time, just to see how seemingly dark systems can be illuminated given the right know-how.

I racked my brain for a good wireless device to poke at and then it hit me: what about my alarm system? I don't know much in the way of technical details about our system, but I do know it's wireless, which should mean that each alarm component sends bursts of radio traffic to one central receiver. I doubted that I could decode the bursts of traffic, but if I could monitor them, that could be useful.

First things first, I popped the cover off of one of our motion detectors and grabbed a photo:

I jotted down every number I could see (which I also scrubbed from the above photo) and started Googling. In a few minutes I found a technical installation guide, and from there I found an FCC ID. Using this FCC ID, I found more details about the device, most of which meant nothing to me. But the FCC page did include one critical bit of info: the wireless motion detector broadcasts at 345 MHz.

This isn't exactly a surprise, nor is it top secret. If you look at the 345 MHz spectrum, you'll see tons of devices that utilize it, from motion detectors to an Active Fall Detection Pendant. If I knew my radio devices better, I could have almost certainly skipped the above exercise and just assumed that my alarm peripherals operate at or near 345 MHz.

Armed with this information, I fired up SDR Touch and tuned it to 345 MHz. I started the recording when I was out of range of all motion detectors. I then walked into view of the detector. And what do you know, there was a burp of radio activity. I repeated this a few times and then did the same with opening and closing our front door (which has a door sensor on it):

The red boxes in the waterfall above correspond to me triggering the motion detector, while the orange boxes correspond to the front door.

I was delighted to see that my assumption was correct. The alarm devices do sit there quietly and transmit when they are triggered. This is definitely information I can use.
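Turning a waterfall observation like this into timestamped "something just transmitted" events is mostly a matter of energy detection. The following is an added example, not code from the post: it synthesizes a constructed baseband recording containing two sensor-like bursts, estimates the noise floor from the median block power, and reports each burst's start, duration and level above the floor. The sample rate, block size, amplitudes and burst timings are all assumed values, not measurements of the author's system.

```python
import cmath
import math
import random
from statistics import median

# Constructed parameters for the synthetic recording; none of these come from the post.
SAMPLE_RATE = 250_000   # samples per second of the (constructed) IQ capture
BLOCK = 1_000           # 4 ms analysis blocks at this rate
NOISE_SIGMA = 0.01      # per-component noise standard deviation
BURST_AMPLITUDE = 0.3   # carrier amplitude while a sensor is transmitting
BURSTS = [(0.100, 0.040), (0.600, 0.040)]  # (start_s, length_s) of two constructed bursts


def build_constructed_recording(seconds=1.0, seed=7):
    """Synthesize complex baseband: Gaussian noise plus short constant-envelope bursts."""
    rng = random.Random(seed)
    n = int(seconds * SAMPLE_RATE)
    samples = [complex(rng.gauss(0, NOISE_SIGMA), rng.gauss(0, NOISE_SIGMA)) for _ in range(n)]
    tone = 2 * math.pi * 5_000 / SAMPLE_RATE  # small offset from the tuned centre, as in a real capture
    for start, length in BURSTS:
        first = int(start * SAMPLE_RATE)
        for i in range(first, min(n, first + int(length * SAMPLE_RATE))):
            samples[i] += BURST_AMPLITUDE * cmath.exp(1j * tone * i)
    return samples


def detect_bursts(samples, threshold_db=10.0, block=BLOCK, rate=SAMPLE_RATE):
    """Return (start_s, duration_s, peak_db_above_floor) for each run of blocks above the floor.
    The floor is the median block power: sensors are quiet nearly all the time, so the median
    tracks background noise rather than the bursts themselves."""
    # Mean power per block, in dB relative to unit power.
    powers = [10 * math.log10(max(sum(abs(s) ** 2 for s in samples[i:i + block]) / block, 1e-20))
              for i in range(0, len(samples) - block + 1, block)]
    floor = median(powers)
    bursts, run_start, peak = [], None, -math.inf
    for idx, p in enumerate(powers + [-math.inf]):  # sentinel closes a trailing run
        above = p - floor >= threshold_db
        if above and run_start is None:
            run_start, peak = idx, p - floor
        elif above:
            peak = max(peak, p - floor)
        elif run_start is not None:
            bursts.append((run_start * block / rate, (idx - run_start) * block / rate, peak))
            run_start = None
    return bursts


if __name__ == "__main__":
    for start, dur, snr in detect_bursts(build_constructed_recording()):
        print(f"burst at {start:.3f} s lasting {dur * 1000:.0f} ms, {snr:.1f} dB above floor")
```

On a real capture the block size and threshold need tuning to the sensor's burst length and the local noise floor, and a detector this simple will also fire on any other 345 MHz device in range, so burst timing and length are what distinguish one transmitter from another.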

While this is interesting and all, it's not very useful. What I really need is a way of programmatically extracting this radio data and turning it into a stream of relevant data ("Door Triggered" or "Motion #2 Triggered"). That's the next challenge to tackle. Stay tuned.